Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.

Monday, September 3, 2012

Security controls have side effects which affect user experience

Most security controls are like drugs which cure potent diseases but bring along undesirable side effects. These side effects affect the ease of use of most electronic devices, such as ATMs and biometric devices, and of logging in or even enrolling on web sites. To eliminate or reduce these side effects, the design of controls must focus on how the controls can be misused. The best way, though difficult to implement, is to tuck security into the background where it works silently and invisibly. Would we not all like to pay online using our credit card without filling in a lengthy form?

Take the case of the Reserve Bank of India (RBI) doing away with the cash retraction systems in ATMs, as it found that there were large numbers of dubious claims of non-receipt of cash. The security feature helped customers in instances when the ATM did not disburse cash quickly and the cash was left behind by customers who thought the ATM was not working.

Another example is the locking of accounts after a fixed number of failed authentication attempts. This feature protects users from a variety of automated password attacks, reducing the risk of account compromise where password strength is low. The same feature can also be used to create a minor inconvenience if the account is deliberately locked by malicious individuals.
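The lockout side effect and one way to reduce it can be seen side by side in the sketch below, which is an added example and not code from this post. The threshold of 5, the backoff values, the class names and the sample addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5                    # assumed; the post only says "a fixed number"
BASE_DELAY, MAX_DELAY = 2.0, 900.0  # assumed backoff base and cap, in seconds


class HardLockout:
    """Lockout as described above: N failures lock the account for everyone."""

    def __init__(self):
        self.failures = defaultdict(int)

    def allowed(self, account, source, now):
        return self.failures[account] < MAX_FAILURES

    def record(self, account, source, success, now):
        self.failures[account] = 0 if success else self.failures[account] + 1


class SourceThrottle:
    """Failures count per (account, source) and cost that source a growing delay."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = defaultdict(float)

    def allowed(self, account, source, now):
        return now >= self.blocked_until[(account, source)]

    def record(self, account, source, success, now):
        key = (account, source)
        if success:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return
        self.failures[key] += 1
        delay = min(BASE_DELAY * 2 ** (self.failures[key] - 1), MAX_DELAY)
        self.blocked_until[key] = now + delay


def simulate(policy, hostile_attempts=10):
    """Return (failed logins the hostile source got to submit, owner still allowed?)."""
    now, got_through = 0.0, 0
    for _ in range(hostile_attempts):
        if policy.allowed("alice", "203.0.113.7", now):      # constructed source
            policy.record("alice", "203.0.113.7", False, now)
            got_through += 1
        now += 1.0                                            # one try per second
    return got_through, policy.allowed("alice", "198.51.100.20", now)
```

Per-source counting alone does not limit guessing that is spread across many sources, so it is normally paired with a softer account-wide limit or an extra verification step.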

CAPTCHA is another feature, which prevents automated attacks during enrollment on web sites, but as machine reading grows more sophisticated, CAPTCHA phrases are becoming complicated for humans to read too. Invariably, user success comes after a few tries.

There are many more such examples. Our challenge is to recognize the side effects and work out ways to minimize them, rather than let customers live with them. This requires better architectural designs and innovation in security technology.

About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or Linkedin at http://in.linkedin.com/in/luciuslobo